Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

Rajesh writes "According to F-Secure, ICANN (Internet Corporation for Assigned Names and Numbers), the organization responsible for the global coordination of the Internet's system of unique identifiers, should introduce a .safe domain name to be used by registered banks and other financial organizations."

But wouldn't something a little more, well, financially sound be better..safe just makes me think of child protection sites, law enforcement security boards and such.
I know.fin is taken, but how about someone put a little more thought into this one. I agree we possibly COULD use a.safe, but for other purposes.

An awkward bit of history, back from when you had to follow the rules when registering domains and the US didn't have their own TLD, so they used.gov,.com,.org,.edu etc as their own and asked everybody else to use their own national TLDs.

Part of me misses the enforced rules bit, as now you can't tell where a website actually originates for. Anybody remember all the.to domains? fly.to, go.to etc, none of which came from Tonga.

Notice how they call their form "secureapp.html" in order to give someone a false sense of security so they can go ahead and fill out the form with their social security number. Then submit it to an unencrypted action.

A.safe domain will give scammers and idiots more ammo and less reason to actually care about security.

I can see a reason for a.xxx tld, that makes perfect sense, because it's descriptive of the content..safe isn't descriptive of crap...You know there will be unsafe.safe sites.

When I was young and full of myself, I used to set up my security systems to "talk smack" when I foiled cracking attempts...Took me only a very little amount of time to realize that this sent the wrong message, because when you frame it in the terms of a challenge, the cra

It's like they keep on calling Oracle "Unbreakable". Issue a challenge and the hackers will meet it. everybody who really knows what their doing keeps their databases behind firewalls so you can't access them from the outside. It doesn't matter if somebody says it's unbreakable, because it's not worth taking the risk.

I'm beginning to see the TLD system as more of an inconvenient waste of time thanks to initiatives like this. It will challenge hackers and make the average Net user even more gullible and trusting, thinking the.safe tld somehow confers mystical powers on the website.

Domains are easier to remember than IP addresses, but in that convenience lurks the bugaboos we see now. The average user clicks links blindly -- he/she has no idea that the URL beneath the anchor tag may not be going where they think it is.

Why is it that everyone seems to think a company that transfers money and holds money in accounts is a bank? Your utility companies do that, credit cards are issued by non-banks all day, et cetera. You might as well argue that Final Fantasy Online is a bank - you can purchase in-game currency, give it to someone else, then have it converted back to real currency. Do rechargeable, releaseable gift cards make every store in the mall a bank? Is my cellular phone company a bank? My cell phone can make payments for me, even.

Bank regulations aren't about little-guy money transfers, and wouldn't help in virtually any of the "omg paypal skrooed me" situations (which, I might note, I've never actually seen be anything other than the fault of one of the two end-users. Yes, PayPal freezes accounts too easily, but frankly, if you can't tolerate a several-day money lag, you shouldn't be transacting online at all.) Bank regulations are about the investment of held capital and so forth, to prevent messes like the 1914 commodity crash or the 1980s savings and loan scandal. Say what you will about PayPal, but their back-end investments are safe, conservative and shrewd. No bank regulations would affect PayPal in any way that the end users would find significant, other than to increase existing rates (not by enough to affect most transactions, but it would kill the micropayment system dead.)

The next time you go complaining about regulations, maybe you should name the specific regulation you want. That way, when people read what you say, they won't do what I did, and assume you're some clueless whiner who just wants to repeat what everyone else says to sound smart, when bitching about an online business that they heard screwed a friend of a friend of a friend.

Don't feel bad. I'm miffed that the government uses.com's (and.nets, etc) instead of.gov. I also think they shoulda given a.gov domain for the yearly free credit report stuff. As much as I trust myself, before entering all that juicy info, I actually found links to the.com from the.gov websites, etc. first...

Yes but they'd still need the.co.uk variation as that's what people expect to use. And anyway, the problem with phishing is that people don't read the URL or pay any attention to the SSL status. I can't set up a phishing site at genuinebank.co.uk (cause Genuine Bank will already be using it) any more easily than I can at genuinebank.plc.uk.

True, but user education is a major part of phishing prevention, and educating users to look for the.plc.uk should be a relatively simple task. It's also a relatively simple task to redirect genuinebank.co.uk to genuinebank.plc.uk.

Also, although you can't set up a phishing site at, say, bankofscotland.co.uk, you could conceivably set one up at bankofscotalnd.co.uk, which would be easy to miss at a glance. You wouldn't be able to set up bankofscotalnd.plc.uk though, so by looking for the.plc.uk domain

I just don't trust anything that comes out and says "trust me, I'm safe." This isn't a good idea, it teaches people to let their guard down as opposed to being aware of the risks of blanketly trusting a website. What if someone gets some exploit code on one of these sites? I think it'll just take a few notable hacked up website before the whole trust of.safe is lost.

Why, F-secure can offer a service to make sure this doesn't happen! In fact, why not just say F-secure is responsible for validating sites in this TLD. That would be great.

The idea isn't really flawed, but the source is questionable. Its like a company that makes carbon filtering equipment says that all power plants should meet X carbon emissions. Great idea, not news, and blatantly self-serving.

The tools are already in existence to secure communications, and they are already in use. The flaw in the system is not the domain names or secure connections but the users who are deceived into accessing other sites and to give up personal details..safe will not end deceptive practices, especially when success = money.

Education is the way to secure users, that and banks and other entities that really require security to actually employing some decent se

I just don't trust anything that comes out and says "trust me,I'm safe."

Like politicians?

Then there's the girls who wear t-shirts that say "Cutie". If you really are a "cutie", you don't have to wear a label to tell us that you are. It therfore follows that the people who wear those shirts are roughly as "cute" as politicians are trustworthy.

The funny thing is that these shirts tend to end up on girls that are actually cute. The difference is in the cost of exposing the lie. It's stands out when a uncute girl wears a shirt that says "cutie." Ironic goals statements aside, most girls probably want to avoid wearing a cutie shirt when they aren't cute. Whereas exposing the lie of a politician who is spinning some truthiness on the news involves much more digging around to expose the lie. So in a sense, politicians can get away with lies, while unc

I don't understand the question. Google does lots of things, do I trust google to do what? Provide good search results? Keep my email secure? Keep my private data? (answers: yes, mostly yes, and no). Regardless, these trust relationships aren't formed by some fancy domain or prolomation of security, they're developed over time through their reputation and my evaluation of them as a service provider. That's how trust should be built and maintained.

As long as people continue to click on links they get in emails, a not verify that they are actually at their bank's website, then there's going to be problems with phishing. It doesn't matter if the url ends in.com, or.ca, or.safe, or.xxx. If you're clicking on links in emails and getting scammed, then changing the domain name won't help anything. I'm surprised there's not more worms out there that change your hosts file, to show you a phishing site when you type in the actual url of your bank. I guess it really is that easy to get somebody to click on a link in an email, because they haven't resorted to more complicated methods.

Even more, I wasn't even a customer of their bank but still got the e-mail, so that raised an alert before even reading that text through.

I take this a step further by instructing even those financial institutions that I do business with to not contact me by email. That lets me safely junk all financial stuff without thinking about it; either it's an organization going directly against my written instructions or it's a phishing attempt, but neither is welcome.

I would like to know my more banks don't offer more secure methods of authentication like RSA keytags and such. This would completely wipe out most of the problems with phishing. Instead they think up other useless methods like making you click on an onscreen keypad to enter your password, or asking you what your favourite movie is. I think that many people would pay for the keytag themselves if they were presented with the option, just for having the peace of mind knowing they are more secure. I know

Why not pick something that will last a bit longer. Instead of doing something along the lines of "that should hold them off for a couple months", or "it's 1/2 a step better than our competitors who have equally crappy security measures" or "it's not actually more secure, but our dumb users will think it is", they should be putting security measures in place that will actually make a difference, and won't be broken by crackers in a matter of weeks.

You've half-answered yourself - savvy users understand about phishing in the first place, know about password security, etc etc. It's the unsavvy users that are being fooled.

While I appreciate you're picking on the word 'safe', you're picking on it for the wrong reason. People will still be caught out by www.bank.safe.banking.login/login.asp instead of www.bank.safe/banking/login/login.asp; but that's not what.safe is trying to address. It's trying to address s

People are still pretty dumb and easily tricked, the kind of people that get duped into putting their info in a phishing site are the same people that could be tricked by a fake URL...i.e. safe.financialsite.com or yourbank.com/safe or any other obvious ways to add safe into a URL.

People respond to phishes and Nigerian scams and give all their usernames and passwords voluntarily without ever touching their banks or the safe domains. How can banks protect against such users? Why should it be the bank's responsibility to tell the customers, "It is not a good idea to paint your user name and password on the side of your home in 26inch high letters".

There is a much greater need to tell when a site is NOT safe. There is a reason that URLs with IP addresses and domain names such as "www.paypal.secure.dodgydomain.info/..." are still effective.
Introduction of a new TLD is not a replacement for user education.

If a.safe TLD was introduced then too many people would automatically have the assumption that their PC would never be infected from visiting a.safe site nor would it's details on them ever be compromised. I don't believe anyone can say with 100% certainty that all.safe domains would be hacker proof, in fact I think hackers would be much more attracted to trying to break into.safe sites in the knowledge that people wouldn't automatically be vigilant when visiting those sites.

Let us create a separate domain for phish hosts! All phishing sites must clearly identify them as phishing sites to get a chance to be listed in that domain. Of course, compliance is voluntary. It makes as much sense as the safe domain for the banks.

Who does it, based on what criteria and how are the criteria enforced?

I agree that this is the key issue. The answer has to be, *the entity that guarantees the losses if they get it wrong*. If (big if) you can get a workable system based on this, then it will be meaningful. Otherwise it will just be a moneyspinning scam like secuirty certificates.

But surely, to the inexperienced, anything can look "safe" e.g. www.urbank.safe [bizarremag.com]. As others have already suggested above, it's better to educate than attempt structural changes to protect the naive.

Many worms change your HOSTS file and there's also the good ol' DNS poisoning, so this ".safe" thing can't be 100% trusted. And if it can't be 100% trusted, we might as well stick to what we (don't) have.

Well you are right indeed and I totally understand, but my main beef is calling this ".safe", because it gives the Average Joe the thought that if his bank's URL ends in ".safe", then he is totally and completely, well, safe:)

Maybe picking ".reg" or something like it might be more realistic, so to say.

Simply reversing the arguments doesn't work here. The.xxx at most guaranteed that you'd get porn at a.xxx site (and it didn't even really do that). That's something you don't really need; you can verify that a porn site has porn just by looking at it. You could try to decree that all.com sites would now be porn-free, but that's impossible.This is the converse: if all.safe sites are indeed safe, you've learned something valuable about the site just from its name. It doesn't matter that there are still

The problem with bank sites and such isn't that the sites themselves get hacked - seriously, when's the last time Wachovia or Capital One's website itself was hacked and your account info stoplen from the site itself?

No, the problem is things like Phishing scams and XSS vulnerabilities and stupid users who can't tell the difference between http://www.paypal.com/ [paypal.com] and http://www.paypal.com.scammer.cn/ [scammer.cn] or who rea and follow emails from people they've never even heard of to claim their $500 gift certificate to

No, the problem is things like Phishing scams and XSS vulnerabilities and stupid users who can't tell the difference between http://www.paypal.com/ [paypal.com] and http://www.paypal.com.scammer.cn/ [scammer.cn] or who rea and follow emails from people they've never even heard of to claim their $500 gift certificate to Cracker Barrel or something equally ridiculous.

The odd thing about domain names is that the "Top Level" domain name is shown at the bottom (a.k.a. the right hand side). This makes it especially easy to create reasona

The usual phishing tricks will work, and they'll work even better. Phisher creates a link to a phishing site, and the text of the link will point to a ".safe" domain. Naive user is as naive as ever, and thinks "Well, I know that '.safe' means that it's a genuine site, so it's safe to click on it" and cheerfully submits his/her private identity to the phishers.

This won't solve a thing. It is trivial to fake headers; apparently the author did not do his homework. I could easily set up a spam spew to send phishing email from say, www.bankofamerica.safe or the like. A better, more practical solution is to use email signing like OpenPGP or GNUPGP. This is much, much harder to fake. See the Wikipedia [wikipedia.org] article subsection Security quality. Bank customers simply obtain the PGP public key from the bank's website and use it to validate any email received. This will p

On the face of it, the idea is not completely awful. As usage of the internet grows, the organization of the domain names will grow in complexity and scope.

We have.gov for the US government sites. This makes sense. All government-owned web sites are then managed in one place. We have.edu for education institutions.

Financial institutions are a major power in our society, like government, so maybe they should have a specific domain. This would make looking for a financial place predictable. "I need to find my bank's web site. Ah, I will try bankname.bank" knowing that you will at least get a real bank, and not a phishing scam built on a typo in a name..shop for on-line shops that actually sell through their web site. eg. Amazon, TigerDirect

There are other major market segments which could justify a TLD like libraries (.lib?) and medical (.med?).

We should not let a fear of abusers stop us from trying to organize things in a predictably way. With more TLD options, we could possibly avoid domain names having to be ever longer because their name was already taken.

For the most part, I agree with this. It's funny how DNS is starting to look like the original LDAP recommendations on the name hierarchy. LDAP went from an organization based hierarchy to schemas that started looking at lot like the DNS TLDs. And DNS itself may start looking at lot like how LDAP was. As more companies are becoming international, the idea of arbitrary geographical boundaries to information and yes, commerce, seems somewhat quaint.

I've already got the calls saying "But it said I won a free Ipod." (despite the fact they didn't know what it was but thought it would make a good Christmas present) If they are that trusting of a random pop-up, imagine how easy it would be for anyone with a.safe name to rip them off. I'd have to say think of the grandparents on this one and call it a bad idea. BTW, if you disagree with me, you hate the elderly.

Do most people here forget that there's a thing called a safe in most physical banks? You know, the place where they hold the money, the thing the crooks try to crack into?Everyone is either taking this way out of context (why should this be used to whitelist sites instead of the.xxx domain or other blacklist approaches?) or there's a lot of funny going on in this topic that no one is picking up on.

Maybe.vault or.yourmoneygoeshere or.weholdyourmoney would be a lot clearer? Can we also get a.mattress

Let me propose something completely different than 95% of the above responses. This is actually not a bad idea, should proper restrictions, criteria, and identity vetting be put in place for requesting institutions. In fact I would go as far to say this is a brilliant idea. The article makes the arguments for it that are more than sufficient IMHO. Now focusing on ".safe" is not so great to me. I believe one of the alternate suggestions, ".bank", is a much better idea.

Let me propose something completely different than 95% of the above responses. This is actually not a bad idea, should proper restrictions, criteria, and identity vetting be put in place for requesting institutions. In fact I would go as far to say this is a brilliant idea. The article makes the arguments for it that are more than sufficient IMHO. Now focusing on ".safe" is not so great to me. I believe one of the alternate suggestions, ".bank", is a much better idea.

I know the whole point of DNS is that it's hierarchical. But with all these suggestions like ".safe for financial institutions,.xxx for porn" combined with countries with "desirable" ccTLDs selling domains (Don't get me wrong, it's their domain space and they can do what they wish. But I never knew so many English-language television companies were based out of Tuvalu), there seems little point in having a TLD-based hierarchy at all.You may as well allow any organisation to register anything as a TLD. T

F-Secure have a particular knack for the headline grabbing initiative don't they now? They spent considerable time and effort a few years ago warning us of the virus epidemic that would engulf mobile phones. To date we've still only seen one proof of concept virus, and that required the user to physically install it.Meanwhile their security software is insecure: http://www.heise-security.co.uk/news/87063 [heise-security.co.uk] - leaving a buffer overflow in your flagship security suite is a tad dumb.

I'd make it very hard to get a domain there, and require a big wodge of money to be deposited as a security.It's all very well to say "But users should be ultra-alert at all times, check the IP address of the website they've gone to, close all of their curtains before typing in their password and wear a tinfoil hat before thinking of their mother's maiden name." but it's not actually very useful in the real world.

Users suck - we need to design systems to ameliorate their suckiness, not demand changes in hum

From reading the headline, I thought this was the converse of a.xxx domain, which actually might not be such a bad idea. Rather than try to decide what should and should not go into a.xxx domain and have to worry about censorship, you use the.safe domain voluntarily for kid stuff and offer parents/schools software to restrict kid browsing. And it would hopefully limit the will-somebody-please-think-of-the-children complaints. There would be little danger of censorship since it would be difficult to ju

Most of the phishing scams I have seen use either the IP address or the domain of the phishing webpage itself. Having the banks use.safe would be as effective as having banks not use their IP addresses,.nl,.kr,.ru, and a few other domains that phishers use. People already give away their information to totally bogus addresses, so how does using.safe make one iota of difference?

Ironically, this is *exactly* what secure certificates were supposed to do, remember? Prove who you are to verisign and they'll give you a certificate so that anybody who comes to your site can see that verisign has verified that it's you.

This is about as good an idea as RFC 3514 [rfc-editor.org] describing the Evil Bit. Like 3514, it'll essentially guard you against unwitting interaction with the people you don't have to worry about unwitting interactions with. The bad guys will, of course, ignore the rules and hijack.safe names to host decidedly unsafe content. But we knew this.

Nothing. Or to be more exact, nothing on top of the already existing mechanisms. The verification mechanisms are already in place. Joe Bloggs cannot get a SWIFT address or a Federal Reserve deposit insurance. Joe Bloggs cannot register himself as a bank. All you have is to convince the relevant institutions in each participating country to participate in the approval process.